x509 patch for SSH - openssh

Hi guys,
I've been trying the x509 patch for ssh from Roumen, it works great.
However, I can't figure out a couple of things, and I've been trying to solve
them for a couple of days already.
I'm using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g
with version 6.1 of your patch.
The server-side host key is configured correctly to present x509v3-sign-rsa:
dynowork / # ssh-keyscan pingo
# pingo SSH-2.0-OpenSSH_4.7p1-hpn12v19
pingo x509v3-sign-rsa Subject:CN=pingo.dmz.arhont.com,OU=IT,O=Arhont
However, clients that haven't been patched to support x509 just cannot
connect, giving the following error:
no hostkey alg
Is it possible to circumvent this, apart from also specifying a DSS
key that non-patched clients would understand?
The second problem is with clients that are patched, but for one reason
or another there is no x509 store set up on the client.
They just give the following error:
Ltd,C=GB', error 20 at 0 depth lookup:unable to get local issuer certificate
ssh_verify_cert: verify error, code=20, msg='unable to get local issuer
key_verify failed for server_host_key
Is it possible to have a situation where, if there is no x509 store set up
on the client, it would simply revert to password-based authentication?
I have tried setting
but with no effect; the same error appears.
I would appreciate your help.
Konstantin V. Gavrilenko
Arhont Ltd - Information Security
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com
openssh-unix-dev mailing list
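An added example (not code from the x509 patch or from OpenSSH) that illustrates the first problem in the post: it parses ssh-keyscan output and flags hosts that advertise only x509v3-sign-rsa, which a stock unpatched client rejects with "no hostkey alg". The sample scan is constructed; the second host, "bastion", is hypothetical and its ssh-rsa key data is a placeholder.

```python
from collections import defaultdict

# Host-key types a stock (unpatched) OpenSSH 4.x client understands.
STOCK_KEY_TYPES = {"ssh-rsa", "ssh-dss"}

# Constructed sample in ssh-keyscan's output format: the poster's server
# from the thread, plus a hypothetical host that also offers a plain
# ssh-rsa key (key data is a placeholder, not a real key).
SAMPLE_KEYSCAN = """\
# pingo SSH-2.0-OpenSSH_4.7p1-hpn12v19
pingo x509v3-sign-rsa Subject:CN=pingo.dmz.arhont.com,OU=IT,O=Arhont Ltd,C=GB
# bastion SSH-2.0-OpenSSH_4.7p1-hpn12v19
bastion x509v3-sign-rsa Subject:CN=bastion.example.net,O=Example,C=GB
bastion ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample
"""


def parse_keyscan(text):
    """Return {host: {keytype, ...}} from ssh-keyscan output.

    Lines starting with '#' are banner comments. The key data is split
    off with maxsplit=2 because an X.509 subject may itself contain
    spaces (e.g. 'O=Arhont Ltd'), so a naive split() would break it.
    """
    keys = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line, ignore
        host, keytype, _keydata = parts
        keys[host].add(keytype)
    return dict(keys)


def hosts_unreachable_by_stock_clients(text):
    """Hosts whose advertised key types include none a stock client accepts."""
    return sorted(host for host, types in parse_keyscan(text).items()
                  if not types & STOCK_KEY_TYPES)


if __name__ == "__main__":
    for host, types in parse_keyscan(SAMPLE_KEYSCAN).items():
        print(host, sorted(types))
    print("unpatched clients would fail on:",
          hosts_unreachable_by_stock_clients(SAMPLE_KEYSCAN))
```

Feed it real output with `ssh-keyscan -t rsa,dsa,x509v3-sign-rsa host` piped into the script to audit a fleet before rolling out an x509-only host key.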